Enable synchronizer access

You must grant the Synchronizer service access so that it can pull Apigee artifacts down from the management plane. To grant access you call a Hybrid API, and to call that API you must first generate an access token from the service account key you downloaded when you completed the GCP account setup steps in the Apigee Hybrid Alpha User Guide. As that guide explains, the service account must have the Apigee Organization Admin permission: the call that sets the synchronizer authorization writes to the organization (it is a POST), so a read-only permission is not enough.

Perform these steps after you have completed all of the GCP account setup steps (described in the Apigee Hybrid Alpha User Guide) and Apigee has provisioned your Hybrid-enabled organization.

  1. Ensure that you have enabled the Apigee API. The simplest way to enable an API for your project is to use the Google Cloud Platform (GCP) Console. For complete details, see Enable an API in the GCP documentation.
  2. Obtain an OAuth 2.0 access token.
    1. Obtain an OAuth 2.0 access token to pass with calls to the Apigee API, using one of the following methods.

      gcloud

      Use gcloud to obtain an OAuth 2.0 access token, pointing the GOOGLE_APPLICATION_CREDENTIALS environment variable at the service account credentials JSON file that you downloaded during the GCP account setup steps:

      export GOOGLE_APPLICATION_CREDENTIALS=your_sa_credentials_file.json
      gcloud auth application-default print-access-token

      An OAuth 2.0 token is printed to standard output.

      For more information, see gcloud beta auth application-default print-access-token.

      oauth2l utility

      Use oauth2l to obtain an OAuth 2.0 access token, passing the service account credentials JSON file that you downloaded during the GCP account setup steps.

      oauth2l fetch --json your_sa_credentials_file.json cloud-platform
    2. Copy the OAuth 2.0 token returned and store it in a variable, such as TOKEN. For example:
      export TOKEN=ya29....Ts13inj3LrqMJlztwygtM

      Access tokens are short-lived (about an hour); if a later call returns 401, fetch a new token and reset the variable.
  3. Call the following API to get the list of service accounts currently associated with your organization. Do this first, because the setSyncAuthorization call in step 4 replaces the whole list: any account you do not include again is removed.
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:getSyncAuthorization" \
       -d ''
    

    The following output shows that there is a service account currently associated with the org:

    {
      "identities": [
        "serviceAccount:myorg@myproj.iam.gserviceaccount.com"
      ],
      "etag": "BwWJ9RCoWjc="
    }
        
  4. Call the following API. This call sets the list of service accounts authorized for the org and gives the synchronizer permission to download proxy bundles and the other resource files that the message processors need in order to function.
    curl -X POST -H "Authorization: Bearer your_auth_token" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/your_org_name:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:full_service_account_name_1", \
       "serviceAccount:full_service_account_name_2"]}'
    

    Where:

      your_auth_token            The token you fetched for your service account credentials.
      your_org_name              The name of the hybrid organization that was provisioned for you.
      full_service_account_name  The name of your service account. It is formed like an email address, for example my_service_account@my_project_id.iam.gserviceaccount.com.

    In this example, a new service account is added to the identities array while the service account that was already present (from the step 3 output) is listed again so that it is preserved:

    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:setSyncAuthorization" \
       -d '{"identities":["serviceAccount:my_new_service_account@my_project_id.iam.gserviceaccount.com", \
       "serviceAccount:original_service_account@my_project_id.iam.gserviceaccount.com"]}'
    
  5. To verify that the service account was set, call the following API to get a list of service accounts:
    curl -X POST -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type:application/json" \
      "https://apigee.googleapis.com/v1/organizations/my_org:getSyncAuthorization" \
       -d ''
    

    The output looks similar to the following:

    {
      "identities": [
        "serviceAccount:my_new_service_account@my_project_id.iam.gserviceaccount.com",
        "serviceAccount:original_service_account@my_project_id.iam.gserviceaccount.com"
      ],
      "etag": "BwWJgyS8I4w="
    }
        
  6. Go to the next step, Create an overrides file.
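Steps 2 through 5 above are a read-modify-write on a list that setSyncAuthorization replaces wholesale, which is exactly the kind of manual procedure that drops an existing account when done in a hurry. The script below is an added example written for this page, not code from the Apigee Hybrid guide: it obtains the token the same way as the gcloud method, reads the current identities, merges in the new service account(s) without discarding or duplicating what is already there, writes the list back, and re-reads it to verify the write took. It assumes gcloud is on PATH with GOOGLE_APPLICATION_CREDENTIALS set, and that the etag returned by getSyncAuthorization can be echoed back in the setSyncAuthorization body as an optimistic-concurrency check (the page shows the etag but does not state this); the email sanity-check regex and all function names are the example's own.

```python
"""Added example (not from the Apigee Hybrid Alpha User Guide): a safe
read-modify-write wrapper around getSyncAuthorization/setSyncAuthorization.

Assumptions not stated on the page: the etag from getSyncAuthorization may
be echoed back to setSyncAuthorization so a concurrent edit is rejected
rather than silently overwritten; gcloud is on PATH and
GOOGLE_APPLICATION_CREDENTIALS points at the downloaded service account key.
"""
import json
import re
import subprocess
import sys
import urllib.request

API_BASE = "https://apigee.googleapis.com/v1"

# Loose sanity check on the email-style service account name the page shows
# (example's own regex, not an official format definition).
_SA_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.gserviceaccount\.com$")


def gcloud_access_token() -> str:
    """Same token the guide obtains by hand with gcloud; it reads
    GOOGLE_APPLICATION_CREDENTIALS from the environment."""
    out = subprocess.check_output(
        ["gcloud", "auth", "application-default", "print-access-token"], text=True)
    return out.strip()


def _post(org: str, method: str, token: str, body: dict) -> dict:
    """POST to organizations/{org}:{method} and return the parsed JSON reply."""
    req = urllib.request.Request(
        f"{API_BASE}/organizations/{org}:{method}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_sync_authorization(org: str, token: str) -> dict:
    return _post(org, "getSyncAuthorization", token, {})


def service_account_identity(email: str) -> str:
    """Turn a service account email into the 'serviceAccount:' identity form."""
    if not _SA_EMAIL.match(email):
        raise ValueError(f"not a service account email: {email!r}")
    return f"serviceAccount:{email}"


def merge_identities(current: list, new_emails: list) -> list:
    """Existing identities first, then the new ones; duplicates dropped."""
    merged = []
    for ident in list(current) + [service_account_identity(e) for e in new_emails]:
        if ident not in merged:
            merged.append(ident)
    return merged


def build_set_body(current_auth: dict, new_emails: list) -> dict:
    """Body for setSyncAuthorization that keeps the identities already present
    (the call replaces the whole list, so omitting one removes it)."""
    body = {"identities": merge_identities(current_auth.get("identities", []), new_emails)}
    if current_auth.get("etag"):
        body["etag"] = current_auth["etag"]   # assumed optimistic-concurrency check
    return body


def add_synchronizer_identities(org: str, new_emails: list, token: str) -> dict:
    """get -> merge -> set -> get again; raise if the write did not stick."""
    current = get_sync_authorization(org, token)
    body = build_set_body(current, new_emails)
    if body["identities"] == current.get("identities", []):
        return current                      # nothing to change; skip the write
    _post(org, "setSyncAuthorization", token, body)
    verified = get_sync_authorization(org, token)
    missing = set(body["identities"]) - set(verified.get("identities", []))
    if missing:
        raise RuntimeError(f"setSyncAuthorization did not apply: {sorted(missing)}")
    return verified


if __name__ == "__main__":
    # usage: python grant_sync.py my_org sa1@proj.iam.gserviceaccount.com [sa2@...]
    org_name, *emails = sys.argv[1:]
    result = add_synchronizer_identities(org_name, emails, gcloud_access_token())
    print(json.dumps(result, indent=2))
```

Running it twice with the same arguments is harmless: the second run sees the account already present and skips the write, which is the behaviour you want from anything that might end up in a provisioning pipeline.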